Amos Jeffries wrote:
> That seems very strange. Very strange.
>
> Squid using internal DNS resolver sends out UDP packets and waits for a
> reply, positive or negative. Using that.
>
> The NXDOMAIN results make sense if we assume they come back with some
> TTL so short Squid needs to run through the DNS timeouts on every request.
>
> The silent drop case is a head scratcher of a puzzle. That is the one
> that should be getting very long timeouts while Squid waits for a reply
> that will never arrive.
>
>
> Anyway, getting rid of the "dst" ACL and making sure the peer is
> configured with an IP address should prevent any DNS lookups.
> IIRC your config already has the log_fqdn setting turned off.
>
> Amos

Hello Amos,

My last assumption was wrong. It seems that there is some "optimization" in the kernel so that a silent drop of packets is handled the same as a drop with an ICMP packet. Therefore the named replied a lot faster than usual with SERVFAIL.

Nevertheless, we're going to remove the dst-ACL which is not needed in this case.

Thank you for your help!

--
Matthias
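For readers following the thread, here is an illustrative squid.conf fragment showing the two settings Amos points at: a "dst" ACL (which forces Squid to resolve every request's destination host before it can match) and a cache_peer given by hostname, beside the variant with the ACL removed, the peer addressed by IP and log_fqdn off. This is an added example, not the poster's configuration; the ACL name, network and peer address are placeholders.

```conf
# --- BEFORE (placeholder values): DNS lookups on every request ---
# A "dst" ACL matches on the destination IP, so Squid must resolve the
# request's hostname first; slow or silently dropped DNS replies stall
# each request for the full resolver timeout.
acl internal_net dst 192.0.2.0/24          # placeholder network
http_access allow internal_net
# A peer named by hostname is also resolved through the resolver.
cache_peer parent-proxy.example.invalid parent 3128 0 no-query  # placeholder host
# Reverse lookups for the access log add yet more queries.
log_fqdn on

# --- AFTER: no resolver dependency on the request path ---
# The dst ACL is dropped (it was not needed here), so no forward lookup.
http_access allow localnet
# The peer is addressed by IP, so no lookup for the peer either.
cache_peer 192.0.2.10 parent 3128 0 no-query   # placeholder IP
# No reverse lookups for the log.
log_fqdn off
```

After the change, the only name resolution left on the request path is whatever the peer itself performs; Squid no longer blocks on the local resolver's NXDOMAIN, SERVFAIL or silent-drop behaviour for each client request.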